DNS CNAME query recursion not using same transport

[StoneMoe]

Operating system

Others

System version

FreeBSD 14.3

Installation type

Original sing-box Command Line

If you are using a graphical client, please provide the version of the client.

No response

Version

1.12.17

Description

it seems sing-box returns CNAME responses to the client (or system), which then triggers a new DNS query that goes through the routing matching process again.

which usually breaks user's intention if the initial DNS query and the following recursive query are routing to different geolocation DNS server.

also I noticed commit 3016338 include the logic which query CNAME targets with same transport in a loop.

sing-box/dns/client.go

Lines 155 to 189 in 3016338

	/*if question.Qtype == dns.TypeA || question.Qtype == dns.TypeAAAA {
	validResponse := response
	loop:
	for {
	var (
	addresses int
	queryCNAME string
	)
	for _, rawRR := range validResponse.Answer {
	switch rr := rawRR.(type) {
	case *dns.A:
	break loop
	case *dns.AAAA:
	break loop
	case *dns.CNAME:
	queryCNAME = rr.Target
	}
	}
	if queryCNAME == "" {
	break
	}
	exMessage := *message
	exMessage.Question = []dns.Question{{
	Name: queryCNAME,
	Qtype: question.Qtype,
	}}
	validResponse, err = c.Exchange(ctx, transport, &exMessage, options, responseChecker)
	if err != nil {
	return nil, err
	}
	}
	if validResponse != response {
	response.Answer = append(response.Answer, validResponse.Answer...)
	}
	}*/

looks like what I'm reporting in this issue, but it got commented out.

Reproduction

Minimum config:

Details

{
    "log": {
        "level": "trace",
        "output": "/var/log/singbox.log"
    },
    "dns": {
        "disable_cache": true,
        "reverse_mapping": true,
        "final": "google-dns",
        "rules": [
            {
                "rule_set": "geosite-cn",
                "action": "route",
                "server": "ali-dns"
            }
        ],
        "servers": [
            {
                "tag": "google-dns",
                "type": "udp",
                "server": "8.8.8.8",
                "detour": "proxy"
            },
            {
                "tag": "ali-dns",
                "type": "tls",
                "server": "223.5.5.5",
                "detour": "direct"
            }
        ]
    },
    "route": {
        "rules": [
            {
                "inbound": "dns-in",
                "action": "hijack-dns"
            }
        ],
        "rule_set": [
            {
                "tag": "geosite-cn",
                "type": "remote",
                "format": "binary",
                "url": "https://raw.githubusercontent.com/SagerNet/sing-geosite/rule-set/geosite-cn.srs"
            }
        ]
    },
    "inbounds": [
        {
            "tag": "dns-in",
            "type": "direct",
            "listen": "127.0.0.1",
            "listen_port": 10053
        }
    ],
    "outbounds": [
        {
            "tag": "direct",
            "type": "direct",
            "domain_resolver": "ali-dns"
        }
    ]
}

dig www.tesla.cn output:

> dig www.tesla.cn A +short
san.teslamotors.com.edgekey.net.
san.teslamotors.com.edgekey.net.globalredir.akadns.net.
e2871.x.akamaiedge.net.
23.44.216.104

Logs

Details

DEBUG [3921735230 0ms] dns: exchange www.tesla.cn. IN A
DEBUG [3921735230 0ms] dns: match[1] rule_set=geosite-cn => route(ali-dns)
INFO [3921735230 0ms] outbound/direct[direct]: outbound connection to 223.5.5.5:853
DEBUG [122263698 364ms] dns: exchanged www.tesla.cn NOERROR 30
INFO [122263698 364ms] dns: exchanged CNAME www.tesla.cn. 30 IN CNAME san.teslamotors.com.edgekey.net.
INFO [122263698 364ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net. 30 IN CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net.
INFO [122263698 364ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net. 30 IN CNAME e2871.ca2.s.tl88.net.
INFO [122263698 364ms] dns: exchanged SOA ca2.s.tl88.net. 30 IN SOA n0ca2.s.tl88.net. hostmaster.akamai.com. 1000 1000 1000 1800
INFO [122263698 364ms] dns: exchanged OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x001e, udp: 1232
DEBUG [3331155685 298ms] dns: exchanged www.tesla.cn NOERROR 117
INFO [3331155685 298ms] dns: exchanged CNAME www.tesla.cn. 117 IN CNAME san.teslamotors.com.edgekey.net.
INFO [3331155685 298ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net. 117 IN CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net.
INFO [3331155685 298ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net. 117 IN CNAME e2871.ca2.s.tl88.net.
INFO [3331155685 298ms] dns: exchanged SOA ca2.s.tl88.net. 117 IN SOA n0ca2.s.tl88.net. hostmaster.akamai.com. 1000 1000 1000 1800
INFO [3331155685 298ms] dns: exchanged OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x0075, udp: 1232
INFO [1448410536 0ms] inbound/direct[dns-in]: inbound packet connection from 127.0.0.1:20297
INFO [1448410536 0ms] inbound/direct[dns-in]: inbound packet connection to 127.0.0.1:10053
DEBUG [1448410536 0ms] router: match[0] inbound=dns-in => hijack-dns
DEBUG [1448410536 0ms] dns: exchange san.teslamotors.com.edgekey.net. IN AAAA
DEBUG [1448410536 31ms] dns: exchanged san.teslamotors.com.edgekey.net NOERROR 57
INFO [1448410536 31ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net. 57 IN CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net.
INFO [1448410536 31ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net. 57 IN CNAME e2871.x.akamaiedge.net.
INFO [1448410536 31ms] dns: exchanged SOA x.akamaiedge.net. 57 IN SOA n0x.akamaiedge.net. hostmaster.akamai.com. 1000 1000 1000 1800
INFO [1448410536 31ms] dns: exchanged OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x0039, udp: 512
INFO [1568217679 0ms] inbound/direct[dns-in]: inbound packet connection from 127.0.0.1:55481
INFO [1568217679 0ms] inbound/direct[dns-in]: inbound packet connection to 127.0.0.1:10053
DEBUG [1568217679 0ms] router: match[0] inbound=dns-in => hijack-dns
DEBUG [1568217679 0ms] dns: exchange san.teslamotors.com.edgekey.net.globalredir.akadns.net. IN AAAA
DEBUG [3921735230 143ms] dns: exchanged www.tesla.cn NOERROR 19
INFO [3921735230 143ms] dns: exchanged CNAME www.tesla.cn. 19 IN CNAME san.teslamotors.com.edgekey.net.
INFO [3921735230 143ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net. 19 IN CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net.
INFO [3921735230 143ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net. 19 IN CNAME e2871.ca2.s.tl88.net.
INFO [3921735230 143ms] dns: exchanged A e2871.ca2.s.tl88.net. 19 IN A 115.152.251.36
INFO [3921735230 143ms] dns: exchanged OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x0013, udp: 1232
INFO [2409807490 0ms] inbound/direct[dns-in]: inbound packet connection from 127.0.0.1:38374
INFO [2409807490 0ms] inbound/direct[dns-in]: inbound packet connection to 127.0.0.1:10053
DEBUG [2409807490 0ms] router: match[0] inbound=dns-in => hijack-dns
DEBUG [2409807490 0ms] dns: exchange san.teslamotors.com.edgekey.net. IN A
DEBUG [1568217679 44ms] dns: exchanged san.teslamotors.com.edgekey.net.globalredir.akadns.net NOERROR 1000
INFO [1568217679 44ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net. 1000 IN CNAME e2871.x.akamaiedge.net.
INFO [1568217679 44ms] dns: exchanged SOA x.akamaiedge.net. 1000 IN SOA n0x.akamaiedge.net. hostmaster.akamai.com. 1000 1000 1000 1800
INFO [1568217679 44ms] dns: exchanged OPT OPT PSEUDOSECTION: EDNS: version 0 flags: MBZ: 0x03e8, udp: 512
INFO [1928723677 0ms] inbound/direct[dns-in]: inbound packet connection from 127.0.0.1:23048
INFO [1928723677 0ms] inbound/direct[dns-in]: inbound packet connection to 127.0.0.1:10053
DEBUG [1928723677 0ms] router: match[0] inbound=dns-in => hijack-dns
DEBUG [1928723677 0ms] dns: exchange e2871.x.akamaiedge.net. IN AAAA
DEBUG [2409807490 48ms] dns: exchanged san.teslamotors.com.edgekey.net NOERROR 20
INFO [2409807490 48ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net. 20 IN CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net.
INFO [2409807490 48ms] dns: exchanged CNAME san.teslamotors.com.edgekey.net.globalredir.akadns.net. 20 IN CNAME e2871.x.akamaiedge.net.
INFO [2409807490 48ms] dns: exchanged A e2871.x.akamaiedge.net. 20 IN A 23.215.188.102

Supporter

• I am a sponsor

Integrity requirements

• I confirm that I have read the documentation, understand the meaning of all the configuration items I wrote, and did not pile up seemingly useful options or default values.
• I confirm that I have provided the server and client configuration files and process that can be reproduced locally, instead of a complicated client configuration file that has been stripped of sensitive data.
• I confirm that I have provided the simplest configuration that can be used to reproduce the error I reported, instead of depending on remote servers, TUN, graphical interface clients, or other closed-source software.
• I confirm that I have provided the complete configuration files and logs, rather than just providing parts I think are useful out of confidence in my own intelligence.

[StoneMoe]

I can understand comment that out can keep the DNS logic clean and pretty.

maybe an optional "cname_flattening" config entry could help.

https://developers.cloudflare.com/dns/cname-flattening/

[StoneMoe]

Missing support for cname flattening breaks non-fakeip usage a lot, since CNAME based global traffic balancing design is a pretty common for multi-region services.

I noticed you closed the PR, is there any alternative approach to solve this problem?